People will be people. Over lunch, or a break, or even when they get bored with work, they lose or conveniently forget all you have TRIED to teach them. Some simply say "you weren't REALLY talking to me" and thumb their noses at rules and surf anyway.
Again, in our cases, some of these things come from hacked sites, so in many cases, user education would NOT have prevented the infection!
When you go to a legit business site and simply visit, or visit the local news site put together by a major company that specializes in doing web sites for TV stations and still get an infection, there is no user education in the world that could have prevented that - other than tell them when they come in in the morning to turn their computer off and don't touch the mouse or keyboard all day.
I do not know the reason, but I still to this day find things the scheduled scans catch that realtime did not.
I can give two examples from this last month - computers had "infections" - I used other tools to find the offending files, then copied said files to my quarantine server desktop then submitted them. The AV on the server didn't balk and freely let the files be copied. That night during the server scheduled scans, the files were flagged as infected! I thought great, the defs were updated, so we are fine. NO, I was again able to copy those same files to the desktop - NO trigger from SEP, and again, a scheduled scan caught them. Same scan engine? MAYBE, however, there were two cases where files were allowed to be copied to the desktop, but scheduled scans caught the files as infected.
Why? Why did AP miss, but the scheduled scan catch them? If they were encrypted in any way, should the scheduled scan not have failed?
We will never, as long as I'm working here, get rid of the scheduled scans. I've been doing this for far too many years to ever allow that; I've simply too much experience, have seen too many "exceptions".
Funny thing - users don't complain about slowness when a scheduled scan is happening - it's usually something else going on.
It does slow things down a bit, and it is noticeable, but my rule is if they get an infected machine and it takes more than an hour to deal with it, their machine gets taken away while a new one is built for them. They soon learn...
Your users must be saints to listen to you and not do a single thing to ever get an infection... in the real world here, it just doesn't work that way. And there's no way I'll allow a "dormant" infection to stick around - too many "what ifs", like what if the AP stops working, or what if the defs get corrupted or the service is stopped by another infection (it happens).